If you're running the 2.3 branch of WordPress it's a required update, as it fixes a security issue (among other things)

For the issue to be exploitable. the bad guy would need an account on your blog (even if it's just subscriber). When he has an account he can change the content of any post on your blog. (Inserting a malicious ifame is what we've seen most so far)